Office Action Summary



Application No.: 08/927,382
Applicant(s): Coss et al.
Examiner: Robert Crockett
Group Art Unit: 2787




☒ Responsive to communication(s) filed on Sep 12, 1997.

□ This action is FINAL. 

□ Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed
in accordance with the practice under Ex parte Quayle, 1935 C.D. 11; 453 O.G. 213.



A shortened statutory period for response to this action is set to expire ____ month(s), or thirty days, whichever
is longer, from the mailing date of this communication. Failure to respond within the period for response will cause the
application to become abandoned. (35 U.S.C. § 133). Extensions of time may be obtained under the provisions of
37 CFR 1.136(a).



Disposition of Claims 

☒ Claim(s) 1-26 is/are pending in the application.

Of the above, claim(s) ____ is/are withdrawn from consideration.

□ Claim(s) ____ is/are allowed.

☒ Claim(s) 1-26 is/are rejected.

□ Claim(s) ____ is/are objected to.

□ Claims ____ are subject to restriction or election requirement.



Application Papers 

☒ See the attached Notice of Draftsperson's Patent Drawing Review, PTO-948.

□ The drawing(s) filed on ____ is/are objected to by the Examiner.

□ The proposed drawing correction, filed on ____ is □ approved □ disapproved.

□ The specification is objected to by the Examiner.

□ The oath or declaration is objected to by the Examiner.



Priority under 35 U.S.C. § 119 

□ Acknowledgement is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d).

□ All □ Some* □ None of the CERTIFIED copies of the priority documents have been

□ received.

□ received in Application No. (Series Code/Serial Number) ____.

□ received in this national stage application from the International Bureau (PCT Rule 17.2(a)).

*Certified copies not received: ____.



□ Acknowledgement is made of a claim for domestic priority under 35 U.S.C. § 119(e). 

Attachment(s) 

☒ Notice of References Cited, PTO-892

☒ Information Disclosure Statement(s), PTO-1449, Paper No(s). 5

□ Interview Summary, PTO-413

☒ Notice of Draftsperson's Patent Drawing Review, PTO-948

□ Notice of Informal Patent Application, PTO-152



— SEE OFFICE ACTION ON THE FOLLOWING PAGES — 



U.S. Patent and Trademark Office, PTO-326 (Rev. 9-95), Office Action Summary, Part of Paper No. ____



PART III. DETAILED ACTION 



Drawings 

1. This application has been filed with informal drawings which are acceptable for
examination purposes only. Formal drawings will be required when the application is allowed.



Claim Rejections - 35 USC §103 
2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 



Claims 1-26 are rejected under 35 USC 103(a) as being unpatentable over Shwed (US 5606668). 



As per claims 1-7, 17-21, and 22-26, Shwed (US 5606668) describes a security system for a 
computer network that implements packet filtering (column 3, lines 59-65). Shwed teaches 
that his system applies a particular security rule to an incoming packet (column 7, lines 
14-24) based on data extracted from the incoming packet (column 8 lines 39-49 and Fig 8). 



As per claim 1, Shwed does not explicitly teach that his system derives a session key for 
the incoming packet. However, processing the extracted packet data in the Shwed invention 
(column 8, line 39 to column 9, line 63) would have been recognized by one of ordinary 
skill in the art, at the time the invention was made, as an obvious equivalent to deriving 
a session key for the incoming packet, because a session key indicates which security rule 
to use for a particular packet. Shwed further teaches that a specific TCP destination 
port may be among the data extracted from the incoming packet (column 9, line 64 to column
10, line 14). Shwed further teaches that his system is implemented using gateways having 
multiple network interfaces (Fig 2), where the gateway is connected through a router to 
the Internet. 

As per claims 2, 3, 4, 5, 19, 21, 24, and 26, Shwed does not explicitly teach that his 
invention processes all types of Internet protocol packets, such as UDP packets, or all 
useful packet data, such as IP addresses. However, the Internet was well-known to those of 
ordinary skill in the art, at the time the invention was made, to utilize layered 
communication protocols, including UDP in addition to TCP, and it was also well-known to 
those skilled in the art that methods used to extract data from the headers of TCP packets 
could be utilized to extract data from UDP packets as well, and that these methods could 
have been utilized to extract many types of packet header information, including source 
address, destination address, next-level protocol, source port, and destination port data. 
It would have been obvious to one skilled in the art, at the time the invention was made,
to program the Shwed invention to process all types of Internet protocol packets and to
extract all useful packet header data to assist in security rule decision making, because
this would have been easy to accomplish within the Shwed system and would enable the Shwed
system to meet a wide range of user security requirements.

As per claims 6, 7, 18, 20, 23, and 25, Shwed teaches that his system is implemented using 
gateways having multiple network interfaces (Fig 2), where the gateway is connected 
through a router to the Internet. Gateways were well-known to those of ordinary skill in 
the art, at the time the invention was made, to allow packets to be routed to different 
network interfaces based on well-known routing algorithms, and that these routing 
algorithms could be simply and favorably utilized in conjunction with network security 
algorithms like those taught by Shwed (column 8 lines 39-49 and Fig 8). 

As per claims 8-11, 12-15, and 16, Shwed (US 5606668) describes a security system for a 
computer network that implements packet filtering (column 3, lines 59-65). Shwed teaches 
that his system applies a particular security rule to an incoming packet (column 7, lines 
14-24) based on data extracted from the incoming packet (column 8 lines 39-49 and Fig 8). 

As per claims 8, 9, 10, 13, and 14, Shwed does not explicitly teach the use of multiple
independent security policies, administered by separate administrators and applied to
different groups. However, Shwed further teaches (column 4, lines 27-67) that a system
administrator may create security rules, and may designate that network objects be
separated into sub-groups or domains, where sub-groups may utilize different sets of
security rules (column 4, lines 23-26 and lines 50-57) which would implement multiple sets
of security policies. (Shwed uses as an example a communication group composed of a
company's CEO, CFO, directors; security rules could be set up in the Shwed system to
allow direct communication by this group, but not others, to a finance group (column 4,
lines 59-63).) It would have been obvious to one of ordinary skill in the art, at the time
the invention was made, to allow the creation of specific security rules for a particular
sub-group of network objects, because this could be accomplished with little modification
to the Shwed system, and because the creation of independent security policies by the
creation of multiple sets of rules would give users of the Shwed system the benefits of
hierarchies of security.

As per claims 11, 15, and 16, although Shwed does not explicitly teach that only the
administrator of a domain is allowed to modify the security policy rules for that domain, 
it would have been obvious to one of ordinary skill in the art, at the time the invention 
was made, to restrict the creation of security rules for a particular sub-group of network 
objects to a particular system administrator, because this could be accomplished with 
little, if any, modification to the Shwed system, and because the creation of rules by a 
specialist in a particular domain would give the benefits of increased security and 
confidence in the Shwed system. 
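The mechanism the rejection describes, extracting header fields (source address, destination address, next-level protocol, source port, destination port) from an incoming TCP or UDP packet, using them as the session key that selects a security rule, and keeping separate rule sets per domain of network objects that only that domain's administrator may edit, is shown below as an added illustration. This code is not from the application, from Shwed, or from any product; the choice of the destination address to pick the governing domain, first-match rule evaluation and default deny, and the sample addresses and packets are all constructed assumptions for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Optional

# IPv4 "protocol" field values for TCP and UDP.
PROTO_TCP = 6
PROTO_UDP = 17


def session_key(raw: bytes) -> tuple:
    """Derive the session key (5-tuple) that selects a security rule for a packet.

    Parses the IPv4 header, then the transport header after it, and returns
    (src_ip, dst_ip, protocol, src_port, dst_port). Ports are None for protocols
    other than TCP/UDP, so such packets still receive a key and a rule decision
    instead of bypassing the filter.
    """
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    if raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4  # header length in bytes, including options
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IHL or truncated options")
    proto = raw[9]
    src = str(ipaddress.IPv4Address(raw[12:16]))
    dst = str(ipaddress.IPv4Address(raw[16:20]))
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP):
        # TCP and UDP both carry source and destination port in their first four bytes,
        # so the same extraction serves both (the point made for claims 2-5 above).
        if len(raw) < ihl + 4:
            raise ValueError("truncated transport header")
        sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    return (src, dst, proto, sport, dport)


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # source prefix (any by default)
    dst: str = "0.0.0.0/0"        # destination prefix (any by default)
    proto: Optional[int] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, key: tuple) -> bool:
        src, dst, proto, _sport, dport = key
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


@dataclass
class DomainPolicy:
    """Rule set for one sub-group (domain) of network objects, owned by one administrator."""
    network: str
    admin: str
    rules: list = field(default_factory=list)

    def add_rule(self, requesting_admin: str, rule: Rule) -> None:
        # Only the domain's own administrator may modify its policy (claims 11, 15, 16).
        if requesting_admin != self.admin:
            raise PermissionError(f"{requesting_admin} may not edit policy for {self.network}")
        self.rules.append(rule)

    def decide(self, key: tuple) -> str:
        for rule in self.rules:   # first matching rule wins
            if rule.matches(key):
                return rule.action
        return "deny"             # default deny when no rule matches


def filter_packet(raw: bytes, policies: list) -> str:
    """Select the domain policy owning the destination address (assumption) and apply it."""
    key = session_key(raw)
    dst = ipaddress.ip_address(key[1])
    for policy in policies:
        if dst in ipaddress.ip_network(policy.network):
            return policy.decide(key)
    return "deny"  # destination belongs to no administered domain


def build_packet(src: str, dst: str, proto: int, sport: int, dport: int) -> bytes:
    """Constructed sample input: a minimal 28-byte IPv4 packet with a 4-byte port header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip_hdr + struct.pack("!HH", sport, dport) + b"\x00" * 4


def demo() -> dict:
    """Two domains with separate administrators and rule sets (constructed example data)."""
    finance = DomainPolicy("10.1.0.0/16", admin="finance-admin")
    engineering = DomainPolicy("10.2.0.0/16", admin="eng-admin")
    finance.add_rule("finance-admin", Rule("allow", src="10.9.0.0/24", dst="10.1.0.0/16",
                                           proto=PROTO_TCP, dport=443))
    engineering.add_rule("eng-admin", Rule("allow", src="10.0.0.0/8", dst="10.2.0.53/32",
                                           proto=PROTO_UDP, dport=53))
    policies = [finance, engineering]
    results = {
        "exec_to_finance_https": filter_packet(build_packet("10.9.0.7", "10.1.0.10", PROTO_TCP, 50000, 443), policies),
        "eng_to_finance_https": filter_packet(build_packet("10.2.0.7", "10.1.0.10", PROTO_TCP, 50000, 443), policies),
        "dns_to_resolver": filter_packet(build_packet("10.1.0.10", "10.2.0.53", PROTO_UDP, 40000, 53), policies),
        "icmp_to_finance": filter_packet(build_packet("10.9.0.7", "10.1.0.10", 1, 0, 0), policies),
    }
    try:
        engineering.add_rule("finance-admin", Rule("allow"))
        results["cross_domain_edit"] = "accepted"
    except PermissionError:
        results["cross_domain_edit"] = "refused"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The design point worth noting is that the session key is derived for every packet, including non-TCP/UDP traffic, so a packet never escapes the rule decision merely because it lacks ports; and the per-domain ownership check is enforced at the point of modification, not left to convention.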



Conclusion 



Any response to this action should be mailed to:

Commissioner of Patents and Trademarks
Washington, D.C. 20231

or faxed to:

(703) 308-9051 (for formal communications intended for entry)

or:

(703) 305-9731 (for informal or draft communications, please label
"PROPOSED" or "DRAFT")

Hand delivered responses should be brought to Crystal Park II, 2121 Crystal Drive, VA,
Sixth Floor (Receptionist).

The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Robert Crockett whose telephone number is (703) 305-6107. The examiner 
can normally be reached Monday-Thursday from 7:30 AM to 6:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Joseph Palys, can be reached at (703) 305-9685. The fax number for this Group is (703) 305- 
3718. 

Any inquiry of a general nature or relating to the status of this application should be 
directed to the Group receptionist whose telephone number is (703) 305-9618. 



Robert G. Crockett
Primary Examiner




